Carbanak
Carbanak, also known as Anunak, is a privately developed, full-featured Windows backdoor and financial intrusion toolkit widely associated with FIN7 (also referred to in some reporting as the Carbanak Group). It has been described as one of the most studied financial APT toolkits and has been linked to large-scale financially motivated intrusions, including campaigns against banks and financial institutions across Eastern Europe, the U.S., the Middle East, and parts of Asia, as well as sustained FIN7 activity against U.S. restaurant and hospitality organizations since mid-2015. The reporting summarized here attributes Carbanak-related operations to FIN7 in Mandiant investigations and notes estimated losses exceeding $1B from financial institutions.
The malware supports extensive post-exploitation and remote access functionality. Documented capabilities in the content include enabling concurrent RDP sessions, creating Windows accounts, proxying connections into isolated network segments via a tunnel command, monitoring users with a video command, and use of plugins for VNC and Ammyy Admin. Operators also used legitimate remote administration tools including Ammyy Admin and TeamViewer for interactive command and control. The content further notes use of commands such as runmem to download and execute payloads directly in memory, and references tooling overlap with Cobalt Strike, Meterpreter, Mimikatz, Metasploit, SpicyOmelette, CobtInt, ATMSpitter, Buhtrap, and Cyst in FIN7/Carbanak-related operations.
For command and control, Carbanak encodes HTTP message bodies with Base64 and checks HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for proxy configuration information. Separate reporting in the content states that Carbanak used a VBScript named ggldr that leveraged Google Apps Script, Google Sheets, and Google Forms as C2-related services. The malware also employed anti-analysis and evasion techniques: about 17% of analyzed samples attempted to detect a virtual sandbox before execution, and 95% of samples in one Lastline dataset obfuscated internal data by hiding network activity through code injection and creating .exe files masquerading as system files. FIN7 also signed Carbanak payloads with legally purchased code-signing certificates.
The content indicates Carbanak builds were likely generated through a builder or build tool that customized each sample with per-sample encrypted strings, changing encryption keys, campaign codes, and C2 configuration. Researchers observed rapid recompilation with small functional differences between builds, discovery of 64-bit variants, and some 64-bit samples configured to remain dormant until a specified activation date. The malware’s source code and operator tooling were later discovered in leaked archives, confirming the existence of builders and a large supporting toolset.
High-confidence indicators and artifacts directly mentioned in the content include the registry path HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for proxy discovery and the staging location C:\intel\Logs\*.{ps1,vbs,js,exe,dll,bat,cpl}. The content also notes that filenames such as "source code of carbanak backdoor discovered" were used as social-engineering lures in unrelated malware campaigns and are not unique indicators of Carbanak itself.
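As an added hunting example (not from the page's source reporting), the Python below checks constructed endpoint events for the two artifacts just named: direct writes into C:\intel\Logs\ with one of the listed extensions, and reads of the Internet Settings proxy key by a process outside an allow-list of expected readers. The pipe-delimited event format, the sample events and the allow-list are assumptions to be adapted to real telemetry.

```python
import ntpath
from dataclasses import dataclass
from typing import Optional

# Artifacts named in the profile above (compared case-insensitively)
STAGING_DIR = r"c:\intel\logs"
STAGING_EXTS = {".ps1", ".vbs", ".js", ".exe", ".dll", ".bat", ".cpl"}
PROXY_KEY = r"hkcu\software\microsoft\windows\currentversion\internet settings"
# Assumed allow-list of processes that normally read the proxy key; tune per environment
PROXY_READERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "svchost.exe", "explorer.exe"}


@dataclass
class Hit:
    kind: str      # "staging_write" or "proxy_key_read"
    process: str   # image basename, lower-cased
    target: str    # file path or registry value that triggered the hit


def parse_event(line: str) -> dict:
    """Parse the constructed 'Key=Value|Key=Value' event format (an assumption, not a real export)."""
    return dict(part.split("=", 1) for part in line.split("|") if "=" in part)


def check_event(line: str) -> Optional[Hit]:
    f = parse_event(line)
    proc = ntpath.basename(f.get("Image", "")).lower()
    if f.get("Event") == "FileCreate":
        target = f.get("TargetFilename", "")
        head, tail = ntpath.split(target)
        # Only direct writes into the staging directory with a listed extension count
        if head.lower() == STAGING_DIR and ntpath.splitext(tail)[1].lower() in STAGING_EXTS:
            return Hit("staging_write", proc, target)
    elif f.get("Event") == "RegistryQuery":
        obj = f.get("TargetObject", "")
        # Proxy lookups are normal for browsers and service hosts; flag unexpected readers
        if obj.lower().startswith(PROXY_KEY) and proc not in PROXY_READERS:
            return Hit("proxy_key_read", proc, obj)
    return None


def hunt(lines) -> list:
    return [h for h in map(check_event, lines) if h is not None]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    r"Event=FileCreate|Image=C:\Windows\System32\wscript.exe|TargetFilename=C:\intel\Logs\update.vbs",
    r"Event=FileCreate|Image=C:\Windows\System32\svchost.exe|TargetFilename=C:\intel\Logs\readme.txt",
    r"Event=RegistryQuery|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer",
    r"Event=RegistryQuery|Image=C:\Users\victim\AppData\Local\Temp\svc.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```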
Groups observed using it
6 distinct threat actors attributed by public researchers.
Tools: SpicyOmelette, Cobalt Strike, Meterpreter, Mimikatz, CobtInt, ATMSpitter, Carbanak, Buhtrap, Cyst, Metasploit. CTU researchers assess with moderate confidence that GOLD KINGSWOOD is associated with, and may be a progression of the group referred to as Carbanak...
FIN7 has signed Carbanak payloads with legally purchased code signing certificates.
Carbanak has a plugin for VNC and Ammyy Admin Tool. Carbanak used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems.
Carbanak (aka Anunak) is one of the most studied financial APT toolkits in history, attributed to FIN7/Carbanak Group, responsible for an estimated $1B+ in losses from financial institutions.
The Carbanak lure warrants attention. Targeting security researchers and threat analysts with fake malware source code is a tactic previously associated with North Korean operations (Lazarus Group), though it is also used by sophisticated cybercrime groups.
Annotations
ID: T1219 | Technique: Remote Access Tools | Tactic: Command And Control | Groups: BlackByte, Carbanak, Cobalt Group
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Victims are typically lured through malicious advertising or SEO poisoning campaigns, believing they are downloading legitimate software such as Grammarly, Microsoft Teams, Notion, or Zoom.
Initial Access
1 technique
“FIN7 primarily targets… using: T1566 – Spearphishing (for credentials and credit card information)”
Execution
3 techniques
When victims open these MSIX packages, the StartingScriptWrapper.ps1 component launches embedded PowerShell scripts that employ process injection to execute POWERTRASH and Carbanak malware... The third identified threat, the FakeBat cluster, also uses Advanced Installer but executes malicious PowerShell scripts via StartingScriptWrapper.ps1.
Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.
The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
Since mid-2023, multiple threat actors have been observed abusing MSIX files to deliver various malware payloads... When victims open these MSIX packages...
Persistence
2 techniques
APT3 has been known to create or enable accounts, such as support_388945a0 . ... APT5 has created Local Administrator accounts to maintain access ... DarkGate creates a local user account, SafeMode, via net user commands.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
2 techniques
A majority (95%) of samples of Carbanak obfuscate their internal data by hiding their network activity through code injection...
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
6 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
A majority (95%) of samples of Carbanak obfuscate their internal data by hiding their network activity through code injection...
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Environmental awareness allows malware samples to detect the underlying runtime environment of the system it is trying to infect... search for differences between a virtualized and bare metal environment... about one in five (17%) samples of the Carbanak malware samples analyzed by Lastline tried to detect a virtual sandbox before executing.
Credential Access
1 technique
Discovery
3 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Environmental awareness allows malware samples to detect the underlying runtime environment of the system it is trying to infect... search for differences between a virtualized and bare metal environment... about one in five (17%) samples of the Carbanak malware samples analyzed by Lastline tried to detect a virtual sandbox before executing.
Lateral Movement
2 techniques
GOLD KINGSWOOD is a cybercriminal group that uses tactics more commonly associated with government-sponsored threat actors to infiltrate the internal networks of financial institutions around the globe.
During the 2025 Poland Wiper Attacks, adversaries utilized RDP to log into jump hosts and then moved laterally to other victim devices to include a domain controller.
Collection
1 technique
"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
Command and Control
6 techniques
BS2005 uses Base64 encoding for communication in the message body of an HTTP request... Helminth encodes data with base64 and sends it via the "Cookie" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values... RDAT can communicate with the C2 via base32-encoded subdomains.
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
This analytic story addresses the increasing trend of adversaries leveraging MSIX installers to deliver malware... multiple threat actors have been observed abusing MSIX files to deliver various malware payloads.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim’s machine.
"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."
Impact
1 technique
GOLD KINGSWOOD has also attempted to move funds using the SWIFT network and has attacked other financial systems such as credit card processing systems and payment gateways.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
76 sources tracked across advisories, community write-ups, and news.
A historically significant financial intrusion toolkit/backdoor associated in the content with FIN7/Carbanak Group and major theft from financial institutions.
Referenced as a famous backdoor used as bait in the lure filename; the content explicitly states the sample is not actual Carbanak source code.
Backdoor malware referenced in the campaign as a fake 'Carbanak source code' lure used for social engineering against security researchers.